Members

Ian Watmore (chair) Non-Executive Director 

Ailsa Beaton Non-Executive Director 

Roger Barlow Independent Audit Committee member

Attendees: 

ICO 

Simon Entwisle Deputy Chief Executive Officer 

Christopher Graham Information Commissioner 

Louise Byers Head of Good Practice 

Heather Dove Head of Finance 

Internal Auditors 

Phil Keown Grant Thornton 

Paul Eckersley Grant Thornton 

External Auditors 

James Edmands National Audit Office (by telephone) 

David Eagles BDO 

Secretariat 

Peter Bloomfield Senior Corporate Governance Manager 

Neil Bostock Corporate Governance Officer 


1. Introductions and apologies 


1.1. There were apologies from Alison Langridge of BDO. 
James Edmands attended by telephone. 


2. Declaration of interests 
2.1. There were no declarations of interest. 


3. Matters arising from the Audit Committee meeting of the 9 March 2015


3.1. The minutes of the meeting had been agreed by
correspondence. There were no further comments. 


3.2. All action points had been cleared. 


4. Commissioner’s update 


4.1. The Commissioner provided an update on issues 
currently affecting the ICO including the recent general 
election and subsequent change in government and 
ministers, and the outstanding Triennial Review. There was 
no indication of any planned changes to freedom of 
information legislation. 


4.2. In respect of the Triennial Review it has been proposed 
that Christopher Graham and Ian Watmore meet with the 
head of the Challenge Group to discuss options. There was a 
need for Ministers to come to a decision soon, in particular in 
light of the timescale for recruiting a new Commissioner to be 
in place by 29 June 2016. 


4.3. The recruitment of a new Deputy Commissioner for Data 
Protection was in train with a decision expected by 10 July. 


4.4. A decision was still awaited from the Ministry of Justice 
(MOJ) on Wilmslow accommodation. The lease on Wycliffe 
House expires on 31 December 2016. Simon Entwisle advised 
that the MOJ had committed to complete the business case 
for the preferred option in time for the next ICO Management 
Board. 


4.5. There was movement on agreement of the EU data 
protection regulation. Final agreement was not expected till
early 2016; followed by a two year period within which to 
implement the new regulation. 


4.6. The ICO had been suffering from IT problems for the 
last couple of weeks. The IT was back up and running but the 
incident had highlighted the need to consider the impact of IT
service contracts on IT resilience and recovery. 


4.7. The PCS work to rule had been suspended. 
Negotiations were now taking place on the July 2015 pay 
remit. The Remuneration Committee was meeting shortly. 


5. External audit


5.1. BDO and the NAO presented the final audit completion
report 2014-15.


5.2. The list of outstanding issues was updated. Only the
pension information was still awaited. Historically it had
proved difficult to get the required data from MyCSP and this 
year was proving no different. The Committee advised that 
the matter be escalated if need be. 


5.3. The implementation of the new finance system had
been identified as a large risk. However, the process had 
gone very smoothly and the Finance team was commended 
for their hard work in making the transaction as smooth as it 
had been. 


5.4. The correct apportionment of the ICO’s two main 
funding streams had also been identified as a risk area. But 
BDO/NAO were content that money had been correctly 
apportioned. The only outstanding matter was for the ICO to 
ensure that the Framework Agreement with the MOJ was 
updated to reflect the in-year change in the apportionment 
model. This had not as yet been done as the Triennial Review 
may propose changes to the ICO which would also need to be 
reflected in the Framework Agreement. The ICO and MOJ had 
therefore agreed to delay reviewing the agreement until the 
results of the Triennial Review were known. 


5.5. The third risk area identified had been the risk of fraud
arising from management override of controls. The auditors 
had found no evidence of this and were therefore providing a 
clean audit. 


5.6. The audit had identified a possible material 
misstatement in respect of property, plant and equipment 
dating back to 2009 that could not be identified. The 
accounts would have to be amended if the equipment could 
not be identified. [This point was subsequently cleared by the
identification of much of the relevant equipment.]


Action point 1: Heather Dove to undertake further work 
to identify whether or not the property, plant and 
equipment existed. 


5.7. BDO/NAO noted that all of last year’s recommendations 
had been cleared. 


5.8. The draft letter of representation was discussed. It was 
agreed to amend the final paragraph of the letter to reflect 
that the one exit package during the year would be disclosed. 


Action point 2: James Edmands to correct the letter of 
representation. 


5.9. The Committee agreed that the identified misstatements 
should not be corrected. 


6. Risk Register 


6.1. The risk register had been updated since the last 
Management Board meeting, having been discussed by 
Executive Team and Leadership Group. 


6.2. Simon Entwisle advised that the ICO was still in 
negotiation with the MOJ over the set delegated capital
expenditure limit of £100k. The ICO had requested £850k. 
Having to meet a much lower limit would seriously impact on 
the ability of the ICO to do its job. 


6.3. It was noted that a final decision might not be made 
until after the July emergency budget. 


6.4. There remained concerns about the lack of effective 
mitigation in certain areas. The Committee felt that 
Management Board discussion on risk appetite would be 
helpful to the ICO in deciding whether or not further 
mitigation was needed in some areas; eg public reputation, 
staff and finance. 


Action point 3: Peter Bloomfield to facilitate the 
bringing of a paper on risk appetite to the July 
Management Board. 


7. Strategy for registration fees 


7.1. Simon Entwisle introduced an update of a paper which 
had come to the last Management Board on the ICO strategy 
for registration fees. 


7.2. Since then a registration steering group had been set up 
to direct the work reviewing current registration and fee 
paying arrangements. Research had started on understanding 
the profile of the current register and on estimating the total 
number of registerable data controllers. The aim was to make 
any changes to the registration system by April 2016 if
possible; ie the process would aim to influence the 2016-17
budgeting process. 


7.3. It was the intention that any changes made in the near 
future would also work under the proposed EU data 
protection regulation. This, as it currently stood, removed the 
need for data controllers to register; however, proposals did 
not preclude charging data controllers a fee. If a fee was not 
charged data protection work would need to be funded by 
other means, for example grant in aid. 


7.4. The Committee expressed support for an information 
rights levy to provide funding for both data protection and 
freedom of information work. The MOJ and Treasury were 
concerned that such a system would result in the private 
sector cross subsidising freedom of information work. This 
would not necessarily need to be the case if, for example,
public authorities were charged higher amounts. The NAO 
advised that decisions on this were policy matters for the 
MOJ. 


8. Outstanding audit recommendations 


8.1. Peter Bloomfield advised that the only outstanding 
internal audit recommendation was for the ICO to review its 
information rights strategy. This awaited the appointment of 
a new Deputy Director for Data Protection this autumn and a 
new Commissioner in June next year. 


8.2. The Committee noted the reasons for the delay and 
recommended that initial work on reviewing the information 
rights strategy could begin. 


Action point 4: Christopher Graham to consider how 
best to take forward initial work on reviewing the 
information rights strategy.


9. Internal audit 


9.1. Grant Thornton introduced reports on the Project Eagle 
lessons learnt review and the Follow up review. There was 
one low risk recommendation in the latter report relating to 
the collecting of evidence on clearance of audit 
recommendations. 


9.2. Grant Thornton also introduced their annual report. This 
detailed the audit work done during the 2014-15 year and 
provided a clean audit opinion. 


9.3. Finally the agreed audit plan for 2015-16 was presented
for information. This involved more days of audit work but
the cost was lower than previously due to the mix of staff
used.


10. ICO Audit Committee annual report 2014-15


10.1. Peter Bloomfield presented the draft Audit Committee
Annual Report 2014-15. This document helped inform the
Commissioner's governance statement in the ICO Annual
Report and Accounts 2014-15. An earlier draft had come to
the March meeting and was coming to this meeting for final
agreement now that the opinions of internal and external
auditors had been given. There were no changes proposed.


10.2. Peter Bloomfield confirmed that the report would be
finalised and published shortly.


11. ICO annual report and accounts 2014-15


11.1. Peter Bloomfield presented the draft ICO Annual Report
and Accounts 2014-15. The aim was to produce as near final
draft as possible by Friday and to get it to the designers. 
Minor amendments could be made subsequent to this but 
they needed to be kept to a minimum. 


11.2. It was noted that pension information, as already
discussed, was awaited. In addition the final draft would have
to recognise decisions on the property, plant and equipment 
issue (action point 1 above). 


11.3. It was noted that the accounts included provision for
dilapidations in respect of Wycliffe House. The possibility of
dilapidations for the Wales and Scotland offices was 
mentioned in the accounts but no figure had been included. 


11.4. Heather Dove advised that any dilapidations for the two
offices mentioned would be low and not material. However
she would confirm the position. 


Action point 5: Heather Dove to confirm the position 
relating to dilapidations for the Scotland and Wales 
offices. 


11.5. There was a query over budget headings. These were
clarified.


11.6. In respect of sustainability reporting the Committee was
advised that the ICO had not been including emissions from
flights booked by staff directly. Accurate figures for 2014-15
had now been collated. 


11.7. Christopher Graham advised the Committee that he had 
received an email from the MOJ that morning explaining that 
the Treasury consider that Treasury approval had been 
needed for the July 2014 increases in Deputy Commissioner 
salaries. Retrospective approval could be sought to regularise 
the payments. A small administrative penalty might be 
applied. 


11.8. It was agreed that the Commissioner, via the MOJ, 
would seek to gain retrospective approval for the payments. 
[Retrospective permission was subsequently given by the 
Treasury]. 


12. Integrated assurance 


12.1. Louise Byers considered that the integrated assurance 
process was now well embedded in the ICO. The next round 
of audits focused on HR activity such as recruitment and 
performance reporting had just been launched. This linked 
with areas agreed for internal audit. 


12.2. It was agreed that the committee no longer needed 
reports on integrated assurance as a standing item. Reports 
should be provided on an exceptional basis. 


13. Fraud, whistleblowing and security incidents 


13.1. Peter Bloomfield advised that there had been 15
non-significant incidents reported to the Information Governance
manager during the last quarter of 2014-15.


13.2. The Committee agreed to all members of the Executive 
Team being included in the list of people asked to contribute 
to the report on fraud, whistleblowing and security incidents. 


14. Any other urgent business 
14.1. There was no other business. 


